Looks like I somehow sent an empty reply by mistake the first time around. Let's try again...
On Fri, 2020-04-03 at 16:04 +0200, Erik Skultety wrote: > On Fri, Apr 03, 2020 at 03:50:21PM +0200, Andrea Bolognani wrote: > > I have tested this, though not extensively, on Linux and adding > > User=gitlab to the service file seems to be basically all that's > > Did ^this actually work? I recall having some issues on Linux when I used the > User= directive and I could not get the agent pull a job from the server, It would seem that way: https://gitlab.com/abologna/libvirt/pipelines/132661098 Pay no attention to the failures in the second round of jobs, the Docker daemon seems to be having some trouble getting in touch with quay.io right now. It managed to pull the two images necessary for the prebuild jobs before that, however. Of course for that to work I had to add the gitlab user to the docker group, which is another potential attack venue... The alternative is running everything as root, however, so it would still seem preferable to that. Hopefully at some point gitlab-runner will grow a Podman executor :) -- Andrea Bolognani / Red Hat / Virtualization
